You are here

Vulnerability Co-ordination Pilot

If you’ve been following our blog recently, you’ll be aware of several new measures that the NCSC has launched to help improve the security maturity of organisations, and we’re pleased to be announcing the launch of another: the NCSC Vulnerability Co-ordination pilot.

Since the NCSC opened in October 2016, many of our customers have been asking what role we have to play in handling vulnerabilities disclosed within government systems. Behind the scenes we’ve been working on a pilot that we’re launching today.

Having a recognised process around the handling of vulnerability disclosures is definitely an important part of any organisation’s security maturity. Added to that, many might not realise that there is actually an ISO standard to support what 'good' looks like for vulnerability disclosure. This standard is freely available: ISO/IEC 29147: Vulnerability Disclosure.

Where does NCSC fit in?

In this respect, UK Government is no different to any other organisation and should adopt a mature approach to vulnerability disclosures, wherever they come from. We’ve handled disclosed vulnerabilities in the past via GovCert and CERT-UK, but the disclosure process has never been quite as smooth as we would have wanted. We’re now taking the opportunity to redesign our approach. As part of our Active Cyber Defence work we will be trying out a new way for you to report vulnerabilities to us, so that we can efficiently receive, triage and work to remediate the vulnerabilities that are disclosed to us.

As a pilot, we are going to learn by doing, so want to scope the work so that we’re not initially overloaded. As such, over the next few months we will be working with an invited group of UK-based security practitioners to help us to identify and resolve vulnerabilities across three publicly facing systems used in UK Public Sector. To help us get this right we are working with LutaSecurity for advice and will look to use a recognised platform for vulnerability co-ordination.

One of the key parts of this, for me, is that we can recognise the positive impact of receiving vulnerability reports from the external security community. However, we know this is not a silver bullet and it should definitely not be a substitute for sustained efforts like penetration testing, internal security reviews and patching. All of these other activities will continue to be fully used to help keep our systems secure.

The disclosure pilot will be running for the next few months, and at the end of it we will be presenting back some of the results – and importantly, some of the lessons we learnt along the way.

We’re hoping that this will be the start of a journey to ensure that we have an effective, mature approach, across all of the public sector, to handle the disclosure of security vulnerabilities in our systems and services.